<!--
  This file is a part of the open-eBackup project.
  This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0.
  If a copy of the MPL was not distributed with this file, You can obtain one at
  http://mozilla.org/MPL/2.0/.
  
  Copyright (c) [2024] Huawei Technologies Co.,Ltd.
  
  THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
  EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
  MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
  -->


<!DOCTYPE html
  PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
   
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="DC.Type" content="topic">
<meta name="DC.Title" content="(Optional) Step 2: Creating an IPsec Policy">
<meta name="product" content="">
<meta name="DC.Relation" scheme="URI" content="GBase_8a_00021.html">
<meta name="prodname" content="">
<meta name="version" content="">
<meta name="brand" content="30-OceanProtect Appliance 1.5.0-1.6.0 Help Center">
<meta name="DC.Publisher" content="20241029">
<meta name="prodname" content="csbs">
<meta name="documenttype" content="usermanual">
<meta name="DC.Format" content="XHTML">
<meta name="DC.Identifier" content="GBase_8a_00024">
<meta name="DC.Language" content="en-us">
<link rel="stylesheet" type="text/css" href="public_sys-resources/commonltr.css">
<title>(Optional) Step 2: Creating an IPsec Policy</title>
</head>
<body style="clear:both; padding-left:10px; padding-top:5px; padding-right:5px; padding-bottom:5px"><a name="GBase_8a_00024"></a><a name="GBase_8a_00024"></a>

<h1 class="topictitle1">(Optional) Step 2: Creating an IPsec Policy</h1>
<div><p id="GBase_8a_00024__en-us_topic_0000001792344098_p618831644613">After IPsec policies are created for replication network logical ports on the storage devices at both ends of a replication link, data to be transmitted is encrypted during remote replication to ensure data security. To create such IPsec policies, you must perform the following operations on the storage devices at both ends of the replication link.</p>
<div class="section" id="GBase_8a_00024__en-us_topic_0000001792344098_section387343573110"><h4 class="sectiontitle">Prerequisites</h4><ul id="GBase_8a_00024__en-us_topic_0000001792344098_ul1614193821113"><li id="GBase_8a_00024__en-us_topic_0000001792344098_li17141338161114">You can create an IPsec policy only when the replication network is an IP network.</li><li id="GBase_8a_00024__en-us_topic_0000001792344098_li17586815116">You can create an IPsec policy only when the replication network IP address is an IPv4 address.</li><li id="GBase_8a_00024__en-us_topic_0000001792344098_li82609552112">You cannot create an IPsec policy if the logical port of the replication network is created on a bond port containing members from different interface modules.</li><li id="GBase_8a_00024__en-us_topic_0000001792344098_li169781538433">Only SmartIO interface modules (10 Gbit/s) support IPsec policies.</li><li id="GBase_8a_00024__en-us_topic_0000001792344098_li7365115692115">To ensure that a remote device can be added normally after an IPsec policy is created, the maximum transmission unit (MTU) of the switch ports must be greater than that of the storage ports at both ends.</li></ul>
</div>
<div class="section" id="GBase_8a_00024__en-us_topic_0000001792344098_section135599911160"><h4 class="sectiontitle">Procedure</h4><ol id="GBase_8a_00024__en-us_topic_0000001792344098_ol65154559312"><li id="GBase_8a_00024__en-us_topic_0000001792344098_li48818642118"><span>Log in to DeviceManager of the primary and secondary storage systems separately.</span><p><ul id="GBase_8a_00024__en-us_topic_0000001792344098_en-us_topic_0000001839223165_ul1899151343111"><li id="GBase_8a_00024__en-us_topic_0000001792344098_en-us_topic_0000001839223165_li19991413113118">For OceanProtect X series backup appliances, perform the following operations:<ol type="a" id="GBase_8a_00024__en-us_topic_0000001792344098_en-us_topic_0000001839223165_ol5625945183219"><li id="GBase_8a_00024__en-us_topic_0000001792344098_en-us_topic_0000001839223165_li84033442337">Choose <strong id="GBase_8a_00024__en-us_topic_0000001792344098_en-us_topic_0000001839223165_b124231410468">System</strong> &gt; <strong id="GBase_8a_00024__en-us_topic_0000001792344098_en-us_topic_0000001839223165_b233321694610">Infrastructure</strong> &gt; <strong id="GBase_8a_00024__en-us_topic_0000001792344098_en-us_topic_0000001839223165_b1744421834613">Cluster Management</strong>.</li><li id="GBase_8a_00024__en-us_topic_0000001792344098_en-us_topic_0000001839223165_li938315412338">On the <strong id="GBase_8a_00024__en-us_topic_0000001792344098_en-us_topic_0000001839223165_b4329457314">Backup Clusters</strong> tab page, click a node name under the <strong id="GBase_8a_00024__en-us_topic_0000001792344098_en-us_topic_0000001839223165_b1632917571116">Local Cluster Nodes</strong> area.</li><li id="GBase_8a_00024__en-us_topic_0000001792344098_en-us_topic_0000001839223165_li9647100173410">On the displayed <strong id="GBase_8a_00024__en-us_topic_0000001792344098_en-us_topic_0000001839223165_b0285722121516">Node Details</strong> page, click <strong 
id="GBase_8a_00024__en-us_topic_0000001792344098_en-us_topic_0000001839223165_b142851122171511">Open the device management platform</strong> to go to DeviceManager.</li></ol>
</li><li id="GBase_8a_00024__en-us_topic_0000001792344098_en-us_topic_0000001839223165_li15921125623118">For OceanProtect E1000 (with the OceanProtect used as backup storage), log in to DeviceManager of the backup storage device by referring to <a href="en-us_topic_0000001913343113.html">Logging In to DeviceManager</a>.</li></ul>
</p></li><li id="GBase_8a_00024__en-us_topic_0000001792344098_li0209128194"><span>Set the security type of the interface module to IPsec.</span><p><ol type="a" id="GBase_8a_00024__en-us_topic_0000001792344098_ol1788419251018"><li id="GBase_8a_00024__en-us_topic_0000001792344098_en-us_topic_0145458794_en-us_topic_0127771727_li24773389">Choose <strong id="GBase_8a_00024__en-us_topic_0000001792344098_b14952673065248">System</strong> &gt; <strong id="GBase_8a_00024__en-us_topic_0000001792344098_b1347745485248">Hardware</strong> &gt; <strong id="GBase_8a_00024__en-us_topic_0000001792344098_b21007130715248">Devices</strong>.</li><li id="GBase_8a_00024__en-us_topic_0000001792344098_li20556718142213">Click the controller enclosure that houses the desired interface module.</li><li id="GBase_8a_00024__en-us_topic_0000001792344098_en-us_topic_0145458825_en-us_topic_0127772045_li39598310">Click <span><img id="GBase_8a_00024__en-us_topic_0000001792344098_image15291154112015" src="en-us_image_0000001839223225.png"></span> to switch to the rear view of the storage device.</li><li id="GBase_8a_00024__en-us_topic_0000001792344098_en-us_topic_0145458825_en-us_topic_0127772045_li53346567">Click the desired interface module.</li><li id="GBase_8a_00024__en-us_topic_0000001792344098_li361555923412">On the page that is displayed, choose <strong id="GBase_8a_00024__en-us_topic_0000001792344098_b10706076275248">Operation</strong> &gt; <strong id="GBase_8a_00024__en-us_topic_0000001792344098_b2792277635248">Switch Security Type</strong>.</li><li id="GBase_8a_00024__en-us_topic_0000001792344098_li1062520132616">Select <span class="uicontrol" id="GBase_8a_00024__en-us_topic_0000001792344098_uicontrol2709198985248"><b>IPsec</b></span>.<p id="GBase_8a_00024__en-us_topic_0000001792344098_p1912565416127">When <strong id="GBase_8a_00024__en-us_topic_0000001792344098_b20997124115248">Security Type</strong> is <strong id="GBase_8a_00024__en-us_topic_0000001792344098_b3208247935248">IPsec</strong>, 
TOE is disabled for all ports on the interface module and cannot be enabled independently.</p>
</li><li id="GBase_8a_00024__en-us_topic_0000001792344098_li397216280297">Confirm your operation as prompted.</li></ol>
</p></li><li id="GBase_8a_00024__en-us_topic_0000001792344098_li2515195513112"><span>Choose <strong id="GBase_8a_00024__en-us_topic_0000001792344098_b16189325205248">Services</strong> &gt; <strong id="GBase_8a_00024__en-us_topic_0000001792344098_b2334195125248">Network</strong> &gt; <strong id="GBase_8a_00024__en-us_topic_0000001792344098_b2022417425248">Logical Ports</strong>.</span></li><li id="GBase_8a_00024__en-us_topic_0000001792344098_li7584122818912"><span>Select the replication network logical port for which you want to create an IPsec policy and click <strong id="GBase_8a_00024__en-us_topic_0000001792344098_b11192891425248">Manage IPsec Policy</strong>.</span></li><li id="GBase_8a_00024__en-us_topic_0000001792344098_li11351258994"><span>Click <span class="uicontrol" id="GBase_8a_00024__en-us_topic_0000001792344098_uicontrol1664625018236"><b>Create</b></span> to create an IPsec policy.</span><p><p id="GBase_8a_00024__en-us_topic_0000001792344098_p69242292100"><a href="#GBase_8a_00024__en-us_topic_0000001792344098_table1688015148293">Table 1</a> describes the related parameters.</p>

<div class="tablenoborder"><a name="GBase_8a_00024__en-us_topic_0000001792344098_table1688015148293"></a><a name="en-us_topic_0000001792344098_table1688015148293"></a><table cellpadding="4" cellspacing="0" summary="" id="GBase_8a_00024__en-us_topic_0000001792344098_table1688015148293" frame="border" border="1" rules="all"><caption><b>Table 1 </b>IPsec policy parameters</caption><colgroup><col style="width:24.07%"><col style="width:75.92999999999999%"></colgroup><thead align="left"><tr id="GBase_8a_00024__en-us_topic_0000001792344098_row148809148293"><th align="left" class="cellrowborder" valign="top" width="24.07%" id="mcps1.3.3.2.5.2.2.2.3.1.1"><p id="GBase_8a_00024__en-us_topic_0000001792344098_p17880214122914">Parameter</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="75.92999999999999%" id="mcps1.3.3.2.5.2.2.2.3.1.2"><p id="GBase_8a_00024__en-us_topic_0000001792344098_p38809143293">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="GBase_8a_00024__en-us_topic_0000001792344098_row1588010144293"><td class="cellrowborder" valign="top" width="24.07%" headers="mcps1.3.3.2.5.2.2.2.3.1.1 "><p id="GBase_8a_00024__en-us_topic_0000001792344098_p12788144711440">Name</p>
</td>
<td class="cellrowborder" valign="top" width="75.92999999999999%" headers="mcps1.3.3.2.5.2.2.2.3.1.2 "><p id="GBase_8a_00024__en-us_topic_0000001792344098_p7787154734410">IPsec policy name.</p>
</td>
</tr>
<tr id="GBase_8a_00024__en-us_topic_0000001792344098_row1330314544416"><td class="cellrowborder" valign="top" width="24.07%" headers="mcps1.3.3.2.5.2.2.2.3.1.1 "><p id="GBase_8a_00024__en-us_topic_0000001792344098_p19786124711440">Remote IP Address</p>
</td>
<td class="cellrowborder" valign="top" width="75.92999999999999%" headers="mcps1.3.3.2.5.2.2.2.3.1.2 "><p id="GBase_8a_00024__en-us_topic_0000001792344098_p748615262717">Replication network IP address of the secondary storage device over the replication link.</p>
<p id="GBase_8a_00024__en-us_topic_0000001792344098_p1776619474444">Only IPv4 addresses are supported. A maximum of 32 IP addresses can be entered. Use semicolons (;) or spaces, or press <strong id="GBase_8a_00024__en-us_topic_0000001792344098_b10609882735248">Enter</strong> to separate multiple IP addresses.</p>
<div class="note" id="GBase_8a_00024__en-us_topic_0000001792344098_note08068289815"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="GBase_8a_00024__en-us_topic_0000001792344098_p1806152817819">After the IPsec policy is created, you can add new IP addresses or delete existing IP addresses by modifying the IPsec policy.</p>
</div></div>
</td>
</tr>
<tr id="GBase_8a_00024__en-us_topic_0000001792344098_row12535134518443"><td class="cellrowborder" valign="top" width="24.07%" headers="mcps1.3.3.2.5.2.2.2.3.1.1 "><p id="GBase_8a_00024__en-us_topic_0000001792344098_p3535154584414">Encryption Algorithm</p>
</td>
<td class="cellrowborder" valign="top" width="75.92999999999999%" headers="mcps1.3.3.2.5.2.2.2.3.1.2 "><p id="GBase_8a_00024__en-us_topic_0000001792344098_p1536445194420">Encryption algorithm used for data transmission. The encryption algorithms at both ends of a replication link must be the same. Data encryption algorithms include AES and SM4.</p>
<div class="note" id="GBase_8a_00024__en-us_topic_0000001792344098_note717731711919"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="GBase_8a_00024__en-us_topic_0000001792344098_p117731720191">Some product models do not provide encryption algorithm settings. For models that do not provide encryption algorithm settings, the AES algorithm is used by default for encryption.</p>
</div></div>
</td>
</tr>
<tr id="GBase_8a_00024__en-us_topic_0000001792344098_row1267015458442"><td class="cellrowborder" valign="top" width="24.07%" headers="mcps1.3.3.2.5.2.2.2.3.1.1 "><p id="GBase_8a_00024__en-us_topic_0000001792344098_p56701145124418">Pre-shared Key</p>
</td>
<td class="cellrowborder" valign="top" width="75.92999999999999%" headers="mcps1.3.3.2.5.2.2.2.3.1.2 "><p id="GBase_8a_00024__en-us_topic_0000001792344098_p84261148269">User-defined pre-shared key. The pre-shared keys at both ends of a replication link must be the same.</p>
<p id="GBase_8a_00024__en-us_topic_0000001792344098_p14670650612">[Value range]</p>
<ul id="GBase_8a_00024__en-us_topic_0000001792344098_ul567085762"><li id="GBase_8a_00024__en-us_topic_0000001792344098_li76705510612">The value contains 16 to 127 characters.</li><li id="GBase_8a_00024__en-us_topic_0000001792344098_li196701553613">The value must contain at least two of the following types: special characters, uppercase letters, lowercase letters, and digits. Special characters include !"#$%&amp;'()*+,-./:;&lt;=&gt;?@[\]^`{_|}~ and spaces.</li></ul>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="GBase_8a_00024__en-us_topic_0000001792344098_li159813261107"><span>Click <span class="uicontrol" id="GBase_8a_00024__en-us_topic_0000001792344098_uicontrol165011712112720"><b>OK</b></span>.</span><p><div class="note" id="GBase_8a_00024__en-us_topic_0000001792344098_note12248146121112"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="GBase_8a_00024__en-us_topic_0000001792344098_p15167204592113">If an IPsec policy is no longer needed, delete it from both storage devices. When you delete it on one storage device, the replication service will be interrupted. After you delete it on the other storage device, the replication service will recover automatically. Therefore, you are advised to delete an IPsec policy when no replication service exists, and to delete it from both storage devices within a short interval of each other.</p>
</div></div>
</p></li></ol>
</div>
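<p>Added example (not part of the original help topic or the product's code): a Python pre-check for the Table 1 values before they are entered on the storage devices at both ends. It validates a pre-shared key against the stated length and character-type rules and parses a Remote IP Address list (IPv4 only, at most 32 entries). The function names and sample addresses are assumptions, as is rejecting characters outside the four listed types.</p>

```python
import ipaddress
import re
import secrets
import string

# Special characters listed in Table 1 (the same set as string.punctuation) plus space.
SPECIALS = set(string.punctuation + " ")
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": SPECIALS,
}

def check_psk(psk):
    """Return a list of rule violations for a pre-shared key (empty list = OK)."""
    problems = []
    if not 16 <= len(psk) <= 127:
        problems.append("length must be 16 to 127 characters")
    used = {name for name, chars in CLASSES.items() if set(psk) & chars}
    if len(used) < 2:
        problems.append("needs at least two character types")
    # Assumption: characters outside the four listed types are not accepted.
    if set(psk) - set().union(*CLASSES.values()):
        problems.append("contains characters outside the listed types")
    return problems

def parse_remote_ips(text):
    """Split on semicolons, spaces or newlines; accept at most 32 IPv4 addresses."""
    items = [t for t in re.split(r"[;\s]+", text) if t]
    if len(items) > 32:
        raise ValueError("a maximum of 32 IP addresses can be entered")
    return [str(ipaddress.IPv4Address(t)) for t in items]  # raises on IPv6 or junk

def generate_psk(length=32):
    """Generate a random letters-and-digits key that satisfies check_psk."""
    if not 16 <= length <= 127:
        raise ValueError("length must be 16 to 127 characters")
    alphabet = string.ascii_letters + string.digits
    while True:
        psk = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_psk(psk):
            return psk

if __name__ == "__main__":
    # Constructed sample values (documentation address range), not from the product.
    print(parse_remote_ips("192.0.2.10; 192.0.2.11\n192.0.2.12"))
    print(check_psk("short"))
```

<p>Run the same check on the values prepared for each end, because the pre-shared key and encryption algorithm must be identical on both storage devices.</p>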
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="GBase_8a_00021.html">Replicating a GBase 8a Database Copy</a></div>
</div>
</div>

<div class="hrcopyright"><hr size="2"></div><div class="hwcopyright">Copyright &copy; Huawei Technologies Co., Ltd.</div></body>
</html>